knee-cola/evidencija-rezija
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: secure attachment download route with shareId validation

Browse Source 
Changes:
- Update attachment download link in UI to use shareId
- Add shareId validation to attachment download route
- Validate TTL before allowing attachment downloads
- Extract locationId from shareId using extractShareId helper

Security:
- Attachment downloads now validate checksum and TTL
- Prevents unauthorized access to bill attachment files
- Returns 404 for invalid/expired share links

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
Knee Cola
2025-12-08 01:02:20 +01:00
parent f19e1bc023
commit bc336a9744
2 changed files with 42 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
app/[locale]/share/attachment/[id]/route.tsx
View File

@@ -1,12 +1,49 @@
import { fetchBillById } from '@/app/lib/actions/billActions'; import { fetchBillById } from '@/app/lib/actions/billActions';
import { notFound } from 'next/navigation'; import { notFound } from 'next/navigation';
import { extractShareId, validateShareChecksum } from '@/app/lib/shareChecksum';
import { getDbClient } from '@/app/lib/dbClient';
import { BillingLocation } from '@/app/lib/db-types';
export async function GET(request: Request, { params:{ id } }: { params: { id:string } }) { export async function GET(request: Request, { params: { id } }: { params: { id: string } }) {
const [locationID, billID] = id.split('-'); // Parse shareId-billID format
// shareId = 40 chars (locationId 24 + checksum 16)
const shareId = id.substring(0, 40);
const billID = id.substring(41); // Skip the '-' separator
const [location, bill] = await fetchBillById(locationID, billID, true) ?? []; if (!shareId || !billID) {
notFound();
}
if(!bill?.attachment) { // Validate shareId and extract locationId
const extracted = extractShareId(shareId);
if (!extracted) {
notFound();
}
const { locationId: locationID, checksum } = extracted;
// Validate checksum
if (!validateShareChecksum(locationID, checksum)) {
notFound();
}
// Check TTL before fetching bill
const dbClient = await getDbClient();
const location = await dbClient.collection<BillingLocation>("lokacije")
.findOne({ _id: locationID }, { projection: { shareTTL: 1 } });
if (!location) {
notFound();
}
// Check if sharing is active and not expired
if (!location.shareTTL || new Date() > location.shareTTL) {
notFound();
}
const [_, bill] = await fetchBillById(locationID, billID, true) ?? [];
if (!bill?.attachment) {
notFound(); notFound();
} }

2
app/ui/ViewBillCard.tsx
View File

@@ -100,7 +100,7 @@ export const ViewBillCard: FC<ViewBillCardProps> = ({ location, bill, shareId })
attachment ? attachment ?
<span className="textarea textarea-bordered max-w-[400px] w-full grow"> <span className="textarea textarea-bordered max-w-[400px] w-full grow">
<p className="font-bold uppercase">{t("attachment")}</p> <p className="font-bold uppercase">{t("attachment")}</p>
<Link href={`/share/attachment/${locationID}-${billID}/`} target="_blank" className='text-center w-full max-w-[20em] text-nowrap truncate inline-block mt-2'> <Link href={`/share/attachment/${shareId || locationID}-${billID}/`} target="_blank" className='text-center w-full max-w-[20em] text-nowrap truncate inline-block mt-2'>
<DocumentIcon className="h-[1em] w-[1em] text-2xl inline-block mr-1" /> <DocumentIcon className="h-[1em] w-[1em] text-2xl inline-block mr-1" />
{decodeURIComponent(attachment.fileName)} {decodeURIComponent(attachment.fileName)}
</Link> </Link>